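 /**
  * Authenticates the posted username/password pair and opens a user session.
  *
  * Reads `username` and `password` from $_POST. On success the display name,
  * email and clearance of the user are stored in $_SESSION['user'] and a
  * 30-day `username` cookie is set. Neither the stored hash nor the computed
  * hash is ever written to the debug log.
  *
  * @return bool TRUE on a successful login, FALSE for any rejected attempt
  */
 public function login()
 {
     // Both fields must be posted and the username must pass validation; the
     // password is used verbatim for hashing, so it is neither cleaned nor logged
     if (!isset($_POST['username'], $_POST['password'])
         || SIV::validate($_POST['username'], SIV::USERNAME) !== TRUE) {
         return FALSE;
     }
     $username = $_POST['username'];
     $password = $_POST['password'];
     FB::log($username, "Username");
     // Load user data that matches the supplied username. The record contains
     // the password hash, so the whole record is not sent to the debug console.
     $userdata = $this->get_user_data($username);
     // Every field used below must be present; a partial record is treated as
     // "no such user" rather than a notice on each missing key (the original
     // OR-chain accepted a record that had only one of them)
     $required = array('email', 'password', 'username', 'display', 'clearance');
     if (!is_array($userdata)) {
         return FALSE;
     }
     foreach ($required as $field) {
         if (!array_key_exists($field, $userdata)) {
             return FALSE;
         }
     }
     // Extract the stored hash and compare in constant time; hash_equals needs
     // two strings, so anything else counts as a mismatch
     $db_pass = $userdata['password'];
     $computed = $this->createSaltedHash($password, $db_pass);
     $passwords_match = is_string($db_pass)
         && is_string($computed)
         && hash_equals($db_pass, $computed);
     FB::log($passwords_match, "Passwords Match");
     // Make sure the passwords match and the session check passes
     if (!$passwords_match || !AdminUtilities::check_session()) {
         return FALSE;
     }
     // Issue a fresh session id on login so an id handed out before
     // authentication cannot be reused for the authenticated session
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(TRUE);
     }
     // Save the user data in a session variable
     $_SESSION['user'] = array(
         'name'      => $userdata['display'],
         'email'     => $userdata['email'],
         'clearance' => $userdata['clearance'],
     );
     // Set a cookie to store the username that expires in 30 days; HttpOnly
     // keeps it out of reach of page scripts
     setcookie('username', $username, time() + 2592000, '/', '', FALSE, TRUE);
     return TRUE;
 }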
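 /**
  * Routes the current request: serves a real file under the document root, or
  * returns the URI segments for the front controller to dispatch.
  *
  * $_SERVER['REQUEST_URI'] is request-controlled, so a file is only included
  * when its resolved path lies inside the document root and it is not the
  * running script. A directory request is served by its index.php.
  *
  * @return array<int, string> URI segments; index 0 falls back to the default page
  */
 public static function read_url()
 {
     // Get the document root, with a trailing slash
     $root = rtrim(dirname($_SERVER['SCRIPT_FILENAME']), '/') . '/';
     // Subfolder the script lives in (e.g. "/blog"), or "/" at the web root
     $sublevels = dirname($_SERVER['SCRIPT_NAME']);
     // Load the URI
     $address_bar_uri = $_SERVER['REQUEST_URI'];
     // Strip the subfolder prefix only when it actually leads the URI, so an
     // equal substring deeper in the path is never removed
     if ($sublevels !== '/' && strpos($address_bar_uri, $sublevels) === 0) {
         $to_parse = substr($address_bar_uri, strlen($sublevels));
     } else {
         $to_parse = $address_bar_uri;
     }
     // Separate URI variables from the query string; only the path part is kept
     $script_vars = explode('?', $to_parse, 2);
     $request = $script_vars[0];
     // Collapse double slashes
     $absolute_file_path = str_replace('//', '/', $root . $request);
     // A directory is served by its index.php (the original appended the name
     // to $request, leaving the include path pointing at the directory)
     if (is_dir($absolute_file_path)) {
         $absolute_file_path = rtrim($absolute_file_path, '/') . '/index.php';
     }
     // Resolve symlinks and "../" segments; FALSE when the path does not exist
     $real_path = realpath($absolute_file_path);
     $real_root = realpath($root);
     $real_self = realpath($_SERVER['SCRIPT_FILENAME']);
     $root_prefix = $real_root === FALSE ? FALSE : rtrim($real_root, '/') . '/';
     // Include a file only when it resolves inside the document root and is
     // not the front controller itself (this replaces the old comparison of
     // SCRIPT_NAME, a URL path, against a filesystem path)
     if ($real_path !== FALSE
         && $root_prefix !== FALSE
         && strpos($real_path, $root_prefix) === 0
         && $real_path !== $real_self
         && is_file($real_path)
         && $request !== "/") {
         FB::log($real_path, "Requested File");
         require_once $real_path;
         exit;
     }
     // Not a file: treat the path segments as URI variables
     $url = SIV::clean_output($request, FALSE, FALSE);
     $url_array = explode("/", $url);
     array_shift($url_array);
     if (!isset($url_array[0]) || strlen($url_array[0]) < 1) {
         $url_array[0] = DB_Actions::get_default_page();
     }
     return $url_array;
 }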
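 /**
  * Loads the entries a commenter is still subscribed to.
  *
  * The email is validated before any statement is prepared and is bound as a
  * parameter; table names come from the DB_NAME / DB_PREFIX constants only.
  *
  * @param string $email Address to look up
  * @return array<int, object> Objects with `entry_id` and `title`, ordered by
  *                            title; empty on an invalid address or a database error
  */
 protected function get_comment_subscriptions_by_email($email)
 {
     // Validate first so an invalid address never reaches the database; the
     // failure is logged and an empty list (not NULL) is returned
     if (!SIV::validate($email, SIV::EMAIL)) {
         ECMS_Error::log_exception(new Exception('Invalid email!'));
         return array();
     }
     $sql = "SELECT\n                    `" . DB_PREFIX . "comments`.`entry_id`,\n                    `" . DB_PREFIX . "entries`.`title`\n                FROM `" . DB_NAME . "`.`" . DB_PREFIX . "comments`\n                LEFT JOIN `" . DB_NAME . "`.`" . DB_PREFIX . "entries`\n                    USING( `entry_id` )\n                WHERE `" . DB_PREFIX . "comments`.`email`=:email\n                AND `subscribed`=1\n                ORDER BY `title`";
     try {
         $stmt = $this->db->prepare($sql);
         // bindValue: the value is fixed here, no reference binding needed
         $stmt->bindValue(":email", $email, PDO::PARAM_STR);
         $stmt->execute();
         $entries = $stmt->fetchAll(PDO::FETCH_OBJ);
         $stmt->closeCursor();
         return $entries;
     } catch (Exception $e) {
         ECMS_Error::log_exception($e);
         return array();
     }
 }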
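 /**
  * Inserts or updates a page/menu entry from the posted form.
  *
  * Only the whitelisted fields below are read from $_POST. The previous
  * variable-variable loop (`${$key} = ...`) let any posted key define a local
  * variable in this method; that is no longer possible.
  *
  * @return bool TRUE when the statement ran without an error code, FALSE on failure
  */
 public function update_menu()
 {
     // Field => PDO type for the bound parameter; values go through
     // SIV::clean_output first
     $fields = array(
         'page_id'      => PDO::PARAM_INT,
         'page_name'    => PDO::PARAM_STR,
         'page_slug'    => PDO::PARAM_STR,
         'type'         => PDO::PARAM_STR,
         'menu_order'   => PDO::PARAM_INT,
         'show_full'    => PDO::PARAM_INT,
         'hide_in_menu' => PDO::PARAM_INT,
         'parent_id'    => PDO::PARAM_INT,
         'extra'        => PDO::PARAM_STR,
     );
     // TODO Validate page_slug with SIV::validate($val, SIV::SLUG) and send
     // errors back to the form
     $values = array();
     foreach ($fields as $field => $type) {
         // A field that was not posted binds NULL, as the undefined variable did
         $values[$field] = array_key_exists($field, $_POST)
             ? SIV::clean_output($_POST[$field], FALSE, FALSE)
             : NULL;
     }
     $sql = 'INSERT INTO `' . DB_NAME . '`.`' . DB_PREFIX . 'pages`
             (
                 `page_id`, `page_name`, `page_slug`, `type`, `menu_order`,
                 `show_full`, `hide_in_menu`, `parent_id`, `extra`
             )
             VALUES
             (
                 :page_id, :page_name, :page_slug, :type, :menu_order,
                 :show_full, :hide_in_menu, :parent_id, :extra
             )
             ON DUPLICATE KEY UPDATE
                 `page_name`=:page_name, `page_slug`=:page_slug,
                 `type`=:type, `menu_order`=:menu_order,
                 `show_full`=:show_full, `hide_in_menu`=:hide_in_menu,
                 `parent_id`=:parent_id, `extra`=:extra';
     try {
         $stmt = $this->db->prepare($sql);
         foreach ($fields as $field => $type) {
             $stmt->bindValue(':' . $field, $values[$field], $type);
         }
         $stmt->execute();
         $result = $stmt->errorCode() === '00000';
         $stmt->closeCursor();
         return $result;
     } catch (Exception $e) {
         ECMS_Error::log_exception($e);
         return FALSE;
     }
 }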
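 /**
  * Instantiates the page class for the slug in $_REQUEST['page'].
  *
  * `admin`, `menu` and `comments` map to fixed classes (the first and last
  * are loaded manually); any other slug takes its class name from the page
  * record's `type` column. Each failure path is reported through
  * ECMS_Error::log_exception, which the original comments describe as
  * terminating the request.
  *
  * @return object New instance of the resolved class, constructed with array($page)
  */
 private static function _create_class()
 {
     $page = NULL;
     $page_data = NULL;
     $class = NULL;
     $requested = isset($_REQUEST['page']) ? $_REQUEST['page'] : NULL;
     // Make sure the page conforms to the slug format
     if (SIV::validate($requested, SIV::SLUG)) {
         $page = strtolower($requested);
         $page_data = DB_Actions::get_page_data_by_slug($page);
     } else {
         // Report the raw request value: $page is not assigned on this branch
         ECMS_Error::log_exception(new Exception("Page \"{$requested}\" isn't valid."));
     }
     // The Admin and Comments classes are special cases that are loaded manually
     if ($page === 'admin') {
         require_once CMS_PATH . 'core/helper/class.admin.inc.php';
         $class = 'Admin';
     } elseif ($page === 'menu') {
         $class = 'Menu';
     } elseif ($page === 'comments') {
         require_once CMS_PATH . 'core/helper/class.comments.inc.php';
         $class = 'Comments';
     } elseif (is_object($page_data)) {
         // The class name is whatever the page record's `type` column holds
         $class = $page_data->type;
         if (empty($class)) {
             ECMS_Error::log_exception(new Exception("Page \"{$page}\" doesn't actually exist."));
         }
     } else {
         ECMS_Error::log_exception(new Exception("Unsupported page type \"{$page}\" supplied."));
     }
     // Create a new instance of the appropriate class
     return new $class(array($page));
 }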
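 /**
  * Unsubscribes a commenter from every entry not ticked on the notification form.
  *
  * Without the submit button's key the request is treated as "cancel" and the
  * browser is sent back to SITE_URL. The kept entry ids are cast to int before
  * being embedded in the WHERE clause; the email is bound as a parameter.
  *
  * @return bool TRUE when the update ran, FALSE on an invalid email or a database error
  */
 public function update_notification_settings()
 {
     // The cancel button posts without this key: just go back to the site
     if (!array_key_exists('comment-notification-submit', $_POST)) {
         header('Location: ' . SITE_URL);
         exit;
     }
     // Entries the user still wants notifications for; everything else is
     // unsubscribed. Casting to int keeps the interpolated list safe to embed.
     $keep_ids = array();
     if (array_key_exists('entries', $_POST) && is_array($_POST['entries'])) {
         foreach ($_POST['entries'] as $entry_id) {
             $keep_ids[] = (int) $entry_id;
         }
     }
     // A kept row must differ from EVERY kept id, hence NOT IN. The original
     // `<>` ... OR `<>` chain was true for every row as soon as two entries
     // were kept, unsubscribing all of them.
     $where_clause = $keep_ids
         ? '`entry_id` NOT IN (' . implode(',', $keep_ids) . ')'
         : '1';
     // Extract the email and validate it before touching the database
     $decoded_email = Utilities::hextostr(isset($_POST['email']) ? $_POST['email'] : NULL);
     if (!SIV::validate($decoded_email, SIV::EMAIL)) {
         ECMS_Error::log_exception(new Exception("Invalid email!"));
         return FALSE;
     }
     $email = $decoded_email;
     // Build the SQL query
     $sql = "UPDATE `" . DB_NAME . "`.`" . DB_PREFIX . "comments`\n                    SET `subscribed`=0\n                    WHERE email = :email\n                    AND ( {$where_clause} )";
     try {
         $stmt = $this->db->prepare($sql);
         $stmt->bindValue(":email", $email, PDO::PARAM_STR);
         $stmt->execute();
         $stmt->closeCursor();
         return TRUE;
     } catch (Exception $e) {
         ECMS_Error::log_exception($e);
         return FALSE;
     }
 }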
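 /**
  * Redirects the browser to the search results page for the posted search term.
  *
  * The term is cleaned and URL-encoded before it is placed in the Location
  * header, so it cannot introduce extra path segments or header line breaks.
  */
 public function handle_search()
 {
     // A missing field becomes an empty search instead of an undefined-index notice
     // NOTE(review): passes '' rather than NULL for a missing field — confirm
     // SIV::clean_output accepts it
     $raw = isset($_POST['search_string']) ? $_POST['search_string'] : '';
     $search_string = urlencode(SIV::clean_output($raw, FALSE, FALSE));
     header('Location: /search/' . $search_string);
     exit;
 }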